The seven most dangerous attack techniques: A SANS Institute rundown

From ransomware to weak random number generators, the RSA Conference explores the worst threats and how to stop them.
Written by Stephanie Condon, Senior Writer

It's become painfully clear that the threat of cyberattacks is no longer theoretical -- individuals, businesses, and critical national infrastructure are all at risk. At the RSA conference in San Francisco, Calif., on Wednesday, experts from the SANS Institute ran down their list of the seven worst threats and what to do about them:

Ransomware

Ransomware combined with cryptocurrencies has become a powerful tool for bad actors, said Ed Skoudis, who leads SANS Pen Testing and Hacker Exploits Immersion Training Programs. There are more than 150 different active families of crypto ransomware available today, he noted, and organizations surveyed say it's one of their top fears.

Why is it ideal for the bad guys? There's no need for a command-and-control channel; they don't have to exfiltrate data, and the victim ultimately comes to them. Skoudis laid out a number of steps to prevent ransomware attacks, some of which mirrored what experts said earlier in the RSA conference: Maintain system and network hygiene, keep user permissions limited, and minimize shared workstation environments. Additionally, he said, it's important to have a plan: "If you're getting hit with ransomware, who is it who decides whether you pay or not? You need to decide who decides."

IoT attacks

As more "things" come online, more vulnerabilities exist. IoT, Skoudis said, has started to evolve into an attack platform, first for denial-of-service attacks and perhaps for other kinds of attacks in the future. The steps to curb this are simple, Skoudis said: It starts with changing default passwords. Users should set up separate IoT accounts, "so you're not buying things in iTunes or buying stuff on Amazon using the same account that's controlling your lights." Organizations should conduct penetration tests. Meanwhile, everyone should vigorously push vendors to clean this all up -- that means participating in recalls.

When ransomware and IoT collide

Given how much money criminals can make with ransomware, it's logical they would use that tool to exploit IOT vulnerabilities. Just recently, hackers hijacked electronic keycards at an Austrian hotel and demanded a ransom for them.

Industrial control system attacks

The 2015 and 2016 attacks against Ukrainian utilities were highly coordinated, said Michael Assante, director of industrials and infrastructure at the SANS Institute. Assante was technical director of the US team that helped Ukraine in the aftermath of the attacks. The attackers are growing more sophisticated, Assante said, and going after not just ICS but also the systems that would enable their recovery.

That raises the question, Assante said, "How much automation is too much?" Obviously automation enables higher productivity and new efficiencies. "But you have to keep in mind as you do that, we become dependent on that very technology," he said. "Where power outages might not be measured in hours, they might be measured in days."

Attacks against random number generators

The problem with random number generators, said Johannes Ullrich, dean of research at SANS Technology Institute, is that "it's really hard to tell which one is good." A CNCert survey of 25 open-source bitcoin projects found 162 insecure random number vulnerabilities across the 25 projects. Meanwhile, small devices make it difficult to collect enough random events to initialize the algorithms that create random numbers, which can make WPA2 encryption vulnerable.

Reliance on web services as a software component

The growing popularity of new technologies like containers and serverless computing exposes software to new risks, Ullrich said. Services need to be authenticated, and data received needs to be validated.

Threats against NoSQL databases

For NoSQL databases like MongoDB or Elasticsearch, developers can't rely on prepared statements or proper configuration of user accounts for security. Complex data types like JSON and XML expose new deserialization threats.

The SANS Institute's Internet Storm Center DShield sensor network, reporting on traffic received by more than one million active IP addresses, sees a continuous stream of scans for vulnerable "nosql" databases. A vulnerable nosql database will be discovered within hours of exposure to the Internet. "If you do have an insecure MongoDB database, it's too late," Ullrich said.
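As an added illustration of the point about prepared statements (example code, not from the article or from SANS): a login lookup whose MongoDB-style query is a document assembled from deserialized JSON, beside the input validation that closes the hole. The in-memory matcher and its `$ne` support are stand-ins for the database, and the sample users are constructed.

```javascript
// Added example (not the article's or SANS's code); no database needed, a tiny
// in-memory matcher stands in for the driver's query evaluation.
const USERS = [ // constructed sample collection
  { user: 'alice', password: 'correct horse' },
  { user: 'bob', password: 'battery staple' },
];

// Stand-in for the database: equality match plus the "$ne" operator.
function matches(doc, query) {
  return Object.entries(query).every(([field, cond]) => {
    if (cond !== null && typeof cond === 'object' && '$ne' in cond) {
      return doc[field] !== cond.$ne;
    }
    return doc[field] === cond;
  });
}
function find(query) {
  return USERS.filter((doc) => matches(doc, query));
}

// Unsafe: request-body values go straight into the query document. Nothing is
// "prepared": the driver sends the object as given, so a JSON object supplied
// where a string was expected is evaluated as a query operator.
function loginUnsafe(body) {
  return find({ user: body.user, password: body.password });
}

// Hardened: accept only plain strings where strings are expected, so no
// object (and hence no "$..." operator key) can reach the query.
function requireString(value, field) {
  if (typeof value !== 'string') throw new TypeError(`${field} must be a string`);
  return value;
}

function loginSafe(body) {
  return find({
    user: requireString(body.user, 'user'),
    password: requireString(body.password, 'password'),
  });
}

// General check for any untrusted document: true if a key at any depth
// starts with '$' and could therefore be interpreted as an operator.
function hasOperatorKey(value) {
  if (Array.isArray(value)) return value.some(hasOperatorKey);
  if (value !== null && typeof value === 'object') {
    return Object.entries(value).some(([k, v]) => k.startsWith('$') || hasOperatorKey(v));
  }
  return false;
}
```

The same type check belongs on every field that is copied from a request into a query; `hasOperatorKey` is the fallback for documents whose shape is not known in advance.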
